This Privacy Policy gives you an overview of the processing of your personal data in the context of the use of Koko's offers, online services and mobile applications (hereinafter referred to as the ‘Services’). Furthermore, this Privacy Policy informs you about your rights and the possibilities you have to control your personal data and to protect your privacy. The previous way of processing your data will not change. Due to legal changes, only the specified scope of information in this Privacy Policy is more comprehensive than before. We have always taken the protection of your personal data very seriously and - as before - will continue to implement appropriate organisational, contractual and technical measures to protect your data from unauthorised or unlawful processing and against accidental loss, destruction or damage.

1. Details of the Data Controller

Responsible for data processing is Ideawise Limited, Room 604, Alliance Building, 133 Connaught Road, Central, Hong Kong, Hong Kong. Our representative is SmH ServiceCenter.de GmbH, P.O. Box: 20 04 34, 13514 Berlin, support [at] hallokoko.com. Ideawise Limited is also meant when the terms ‘we’ or ‘us’ are used below. You can contact our data protection officer at: dataprotection [at] hallokoko.com. Please note that we are a company based outside the European Economic Area (‘EEA’). As far as you use our Services and data is being processed, these data are transferred to a so-called "third country". Details can be found in section 6 below.

2. Information on Processed Data Types and Their Origin

If we provide the Services for your use, we process personal data from various sources. This is data that we collect automatically - for example, when you visit a website or open an app - as well as other data that you have additionally provided to us.

a. Types of data that we automatically collect

As soon as you open our website or our apps, you submit technical information to our servers. This happens regardless of whether you subsequently register with an account with us to use the Services or not. In any case, this data is recorded every time

When you visit our website:

Each time a page is accessed, access data is stored in a file, the so-called server log. The following data is stored: Your IP address, the time, the status of your website visit (status means in this case whether the visit of the website was successful or not) as well as the request that your browser has made to the server to open the page, the amount of data transferred and the website from which you came to the requested page (referrer), as well as the product and version information of the browser used (user agent).

When you open our apps:

When using our mobile applications, the following data is stored:

IP address

App identification number, the name of the app, the version number of the app, and the information of which App Store the app has been downloaded from

Name of the device, type of operating system (iOS / Android)

Name and version number of the operating system of your device

Language of the mobile device

If you create a profile on our Services, we will assign a so-called Unique User ID to it. Besides your chosen profile name, the unchangeable Unique User ID allows us to uniquely assign your profile. We also use cookies and API tokens to process this data. Cookies are small text files that you download to your device that store the above information about you when you use our Services. API tokens are unique identifiers that we use to authenticate you when requesting access to our Services. To learn more about how cookies and API tokens work, which cookies and API tokens we use, and how you can opt-out, click here.

b. Types of data you transmit to us

In addition to the data we receive automatically from all visitors of our Services, we also process other data from registered app users. The exact amount of this data depends on how you use the Services. Personal data that you upload publicly to your profile will be visible to other users (and searchable via the search function within the Services). Your privacy settings can be determined by yourself in your profile settings. The data you provide us with includes:

i. User account / profile data:

Gender

Sexual orientation

Email address (either your personal email or, in case of Social Sign-On, the e-mail address you use on Facebook)

ii. Optional profile details:

The use of the Services is easily possible with only the aforementioned information. However, you may also provide additional personal information in your Profile, such as physical characteristics, personal interests or detailed information about your sexual preferences, political opinions or ideological beliefs. If you like, you can upload personal photos of yourself to your Profile. The scope of this optional data can be determined by yourself via the respective input fields in your Profile settings.

iii. Location data:

When you use our Services, we process your approximate location information to allow you to contact users in your area. You select your location manually when registering or, alternatively, you can give your consent to access the location data transmitted by your device (depending on the device, e.g. via GPS). If you do not select your location manually or grant access to GPS, your location will be determined via IP comparison with MaxMind IP. For more information about these vendors, see Figure 4. Location information and settings can be changed in your Profile or device settings.

iv. Communication data: User

If you communicate with other users of our Services, we save your conversation history so that the conversation history with your chat partners can be permanently displayed.

v. Communication data: Customer service

When you contact Customer Service, written communications between you and our service team staff and notes on such transactions are stored so that we can provide uninterrupted customer service when the communication thread is followed up by other members of our service team.

vi. Notification of Device Access

If you grant Koko access to your camera or photo album, we will only receive the data you actively provide, e.g. photos you upload to the Services and nothing beyond. The same applies to you consenting to the delivery of notifications and the way in which they are displayed. You can change these settings at any time in the device settings and revoke your consent there. Your list of contacts will never be accessed at any time.

vii. Social Sign-On:

You can also use the ‘Login with Facebook’ feature to create your profile. If you choose this feature, you transmit your username on the social network at https://www.facebook.com ("Facebook"), your email address with which you have registered on Facebook, as well as your date of birth and profile photo to us.

3. Processing Purposes & Legal Bases

We process your data exclusively for the following defined purposes:

To allow you and other users to use the Services and to ensure their functionality

To provide you with additional Services that you have purchased

To keep you up-to-date with relevant information about our Services and to send you system notifications to the email address you provide

To enable the exchange with customer service in case of any such queries

To assess information published on your profile or shared by you through the Services

To disclose your personal data to third parties if we are legally obliged to do so

To assert legal claims and to defend against legal disputes

To ensure IT security and correct operations of our systems

In doing so, we rely on various legal bases in accordance with the so-called General Data Protection Regulation, the legal framework for the European-wide standardisation of data protection laws (‘GDPR’). We refer in detail to the following legal bases:

Your consent

When you visit the website, you agree to our cookie guidelines in a cookie bar. If you have given your consent to the processing of personal data for specific purposes, this consent ensures the legality of such processing. By registering and creating your profile, you expressly agree to its use for the purposes described in detail in this Privacy Policy by ticking the respective box before confirming the registration form. Accordingly, if we process your data, it is because you expressly allowed us to do so when you registered. Your consent is therefore the most important legal basis for the processing of your personal data by us. If you provide us with information about your sexual orientation or preferences, we will process this data exclusively on the basis of your consent.

Fulfilment of contractual obligations

At the same time, the processing of personal data also takes place for the provision of the Services in the context of the performance of our contract with you. In many cases, the processing of data is not only justified by your consent, but also because it is necessary to fulfil our contract with you: In order to fulfil your entitlement to the Services described in more detail in our General Terms and Conditions, for example, it may be necessary to process your personal data, e.g. if you wish to pay for your membership at Koko+, and the processing of data for payment processing is required for this purpose.

Safeguarding legitimate interests

By registering to use the Services, you consent to the processing of your data in accordance with this Privacy Policy. That is why we process your data, in principle, because you have allowed us to do so. However, there are some cases in which we would be entitled to process your data without your consent because it is necessary to protect our legitimate interests (or the interests of third parties). In this respect, the purposes for which we process your data also represent legitimate interests. We pursue legitimate interests, for example, if we check images or texts for content relevant under criminal law or if we take measures to secure virtual domiciliary rights. In these cases, we will not ask you in advance whether you agree to this processing, as processing is otherwise permitted.

Legal requirements or public interest

In addition, we are legally obliged and entitled to provide certain information to criminal prosecution or tax authorities in individual cases upon request.

4. To Whom We Transmit Your Data

We treat your personal data with care and confidentially and will only share them with third parties to the extent described below and not beyond.

a. To other users:

As our Services are platforms for getting to know each other, it is in the nature of things that we transmit your profile data and other data (e.g. messages you write and other communication you conduct with other users of the community) to the corresponding users of the Services at your request and on your behalf.

b. To group companies:

We transfer data to our affiliated companies, which form a group with us, within the framework of strict data protection requirements. This is the case, for example, when you make a customer service request. We will then forward this request to SmH ServiceCenter.de GmbH, a service company associated with us. In addition, our development company, TheNetCircle Network Co Ltd., and our Community Management and Marketing teams at Playamedia S.L. receive the information they need to ensure the security and functionality of the Services.

c. To third parties:

In addition, we transmit data to external service providers that enable us to provide the Services. These include hosting providers and providers of analytics platforms. We require these service providers to comply with strict rules to ensure the security of your data when processing personal data on our behalf. Such processing is generally based on contractual regulations. When we state - further below - that there is ‘no adequate level of data protection’, it means that there is no adequacy decision by the European Commission - in these cases, however, we regulate the processing on the basis of other guarantees, such as Data Processing Agreements or standard data protection clauses.

Google

Google LLC is a Privacy-Shield certified provider from the USA. Google Analytics is used to analyse the behaviour of users of our Services. In order to display distances between members or approximate location data in the regional search, we use the services from Google Maps (i.e. Google Geocoding API and Google Places API). We use Google AdWords and its so-called conversion tracking. When you click on an ad placed by Google, a conversion tracking cookie is generated. This cookie loses its validity after 30 days, does not contain any personal data and is therefore not used for personal identification. Google Fabric (including Crashlytics and Answers) and Google Firebase help us monitor the performance of our mobile applications, identify crashes and analyse user behavior. For Android users we also use Google Firebase and its Firebase Cloud Messaging (FCM) service for sending push notifications which can contain personal data. YouTube videos are embedded in our Services in ‘enhanced privacy mode’. While no YouTube cookies are set by this particularly data protection-friendly type of embedding, loading such pages leads to a connection with YouTube and the DoubleClick network nonetheless. Therefore, a click on an embedded video can trigger further data processing activities which we no longer control.

Apple

We use Apple (location USA, Privacy-Shield certified) and its Apple Push Notification Service (APNS) for sending push notifications to iOS users which can contain personal data.

Typeform

With this survey tool (location Spain, adequate level of data protection) we improve and maintain our community by means of permanent feedback surveys, as well as regular quizzes, other types of surveys and evaluations. The type of information that is passed on to Typeform depends on the respective survey, and you also decide yourself what content you contribute to such activities.

Sparkpost

Sparkpost (location USA, Privacy-Shield certified) is a provider for sending emails. In order to supply you with information via e-mail, we transmit your email address. Sparkpost will delete your email address immediately after an email has been sent to it.

Facebook

We use Facebook (location USA, Privacy-Shield certified) to facilitate the ‘Log in with Facebook’ feature. All data required during the registration process (e-mail address, date of birth, profile photo) will be transmitted to us by Facebook, on your behalf. We use Facebook's Invite feature to allow users to invite friends from their group of friends on the social network and for usage analysis of our mobile applications. Facebook also publishes advertising through the so-called ‘Facebook Audience Network’ (FAN).

Adjust

Adjust (location Germany, adequate level of data protection) is used for the evaluation of usage statistics and for the analysis of marketing activities. When you open the app, Adjust collects installation and event data. We use this information to understand how our users interact with our app and to analyze mobile ad campaigns. For such an analysis Adjust uses your anonymized IDFA (iOS) or GAID (Android) and your anonymized IP address. It is not possible to identify you individually.

Cloudinary

This storage service (location Israel, adequate level of data protection) is used to store and deliver users’ videos and images.

Virtual Business Support

In order to approve uploaded images, we work with Virtual Business Support (based in the Philippines, no adequate data protection level). There, uploaded pictures are reviewed and categorised by qualified personnel.

New Relic

New Relic (location USA, Privacy-Shield certified) enables statistical evaluations of the speed of our apps. For this purpose, New Relic processes system data on hardware and software and times-of-use, so-called application data.

Atlassian

Jira and Confluence from Atlassian (location USA, Privacy-Shield certified) are online applications that we use for error management, troubleshooting and operational project management. Principally, no personal data is processed systematically, but in individual cases, when technical issues are reported, personal data such as a username may be mentioned in so-called "tickets" in order to be able to correct these malfunctions in our technical applications as quickly as possible, especially in the case of malfunctions reported by users of the Services.

Slack

Slack (US site, Privacy-Shield certified) is an online application that we use for internal communication. Principally, no personal data is processed systematically, but in individual cases, when technical issues are reported, personal data like e.g. a username may be mentioned in so-called "tickets" and therefore also in internal chats of this platform, in order to be able to correct these malfunctions in our technical applications as quickly as possible, especially in the case of malfunctions reported by users of the Services.

Sentry

We work with "Sentry" from Functional Software, Inc. (US site, Privacy-Shield certified) to find and remove errors that occur in our backend. In the event of a crash or other unexpected errors, information such as the version of the operating system and technical data about the cause of the error is transmitted to Sentry. However, this information does not contain any personal data. We use this tool's data solely to increase the stability of our applications.

MaxMind

Koko uses the GeoIP2-Precision database provided by MaxMind Inc. (US site, Privacy-Shield certified). The database contains approximate location/geolocation data for the IP addresses used. This allows us to offer you special services (e.g. approximate distance from other users, search function by location etc.), even if you do not grant us access to GPS data.

Advertising Networks & Affiliates

When you use our app, our ad networks and affiliates can use so-called device IDs to create an anonymous profile of your mobile advertising click behavior. In our app, we work with several mobile advertising partners, including the following companies (the link to their current Privacy Policy and an option to disable behaviour-based advertising, if any, can be found in our cookie matrix. Further information on the stored data can be obtained there.):

These cookies and device identifiers can be used to display personalised advertisements. A profile is also created based on look-alike information obtained which Google, Facebook and other third-party ad networks (see list above) receive due to your visits to other websites or apps on their networks. You can disable personalized advertising by changing the settings on your device:

Android

On Android, this option is located in the app for Google settings. Depending on the device, this is called ‘Google Settings’ or just ‘Settings’. Under the menu item ‘Google’ -> ‘Ads’ you will find the option ‘Disable interest-based advertising’ or ‘Disable personalized advertising’, depending on the device. Selecting this feature will deactivate personalized advertising.

iOS

On iOS, this option is located in the ‘Preferences’ app. Under the menu item ‘Privacy’ -> ‘Advertising’ you will find the option ‘No Ad-Tracking’. The selection can be used to deactivate personalized advertising.

Review of Pictures / Fake Check

In exceptional cases (for example in cases of suspicion of fraud, reporting by other users, etc.) we use the following platforms for checking uploaded images and carry out a so-called fake check by uploading images to the respective search engines:

Other

We report data to authorities in the event of a legal obligation to do so, based on a request for information from such entitled authorities. All purchasing processes are handled either entirely through iTunes or Google Play, depending on the operating system, in accordance with their Terms & Conditions and Privacy Policy.

5. Processing of Payment Data

If you wish to use your Profile as a Koko+ account or use other paid offers, depending on the payment method you choose, you will provide such information directly to the Apple App Store or Google Play Store, having accepted Terms and Conditions and Privacy Policies. You make your purchases directly through the respective store.

6. Transmission to Countries Outside the EU or the EEA

All servers of the Services are located in the EEA; hence, technically, your data does not initially leave the EEA, and the technical provision and processing of the data for the operation of the Services takes place in the European Union. However, when you submit data to us, it will be legally transferred to a country outside the EEA, as we have our registered office in the People's Republic of China. In addition, our development company is also based in China, from where it has technical access to the servers in the European Union. According to the GDPR, China is a so-called "Third Country" in which an adequate level of data protection cannot be guaranteed in principle; there is no corresponding decision on adequacy and there are also no specific guarantees to compensate for this deficit. However, we have concluded strict Data Processing Agreements and standard contractual clauses that work towards a secure level of data protection. What do we mean by the information about China? It means that we may have to transmit data to government agencies there under less stringent conditions than is the case within the EEA. The legal hurdles to the protection of personal data in China are thus generally regarded as lower from a European point of view, as would also be the case for processing in Australia, Russia or India, for example. Until 17.05.2018 (= preparation of this document) there has not been a single case of disclosure of data to Chinese authorities, also because, as a former British colony, Hong Kong continues to enjoy a special status until at least 2047, despite belonging to the People’s Republic of China. In preparation towards GDPR, we have committed ourselves to full transparency in accordance with the GDPR and are therefore happy to comply with this legal requirement and our voluntary commitment, although this transparent approach may at first unsettle some users.
Due to the use of external service providers, some data is also transferred to other so-called "Third Countries". You can see exactly what these are and whether there is an adequate level of data protection in each case under point 4c.

7. How Long Will My Data Be Stored?

We process and store your personal data as long as it is necessary for the fulfilment of our contractual or legal obligations. Therefore, we store the data only as long as our contractual relationship with you exists and also after termination only, as far as the laws of the Federal Republic of Germany and the People's Republic of China require this. If the data are no longer necessary for the fulfilment of such obligations, they will be regularly and promptly deleted, unless their further processing is necessary for the protection of legitimate interests or for the preservation of evidence within the framework of statute of limitations.

8. Information on the Voluntary Nature of the Information

You are not required by law to provide us with the above information. In principle, the contractual relationship that you have entered into with us by agreeing to our General Terms and Conditions does not give rise to any obligation to provide this personal data. However, the transmission of mandatory information is a basic prerequisite for concluding a contract with us. Furthermore, you cannot use the Services, or only to a limited extent, if you do not provide us with certain data or object to their use. This is because our Services are essentially only ‘brought to life’ by the content posted by our users. It is not possible to delete an uploaded and approved profile photo if it’s the only one in your profile. However, you could at any time replace your profile picture or delete the entire profile.

9. Information About Your Rights

You can assert the following rights:

Your right to information and access under Article 15 GDPR,

Your right to rectification under Article 16 GDPR,

Your right to erasure under Article 17 GDPR,

Your right to restriction of processing under Article 18 GDPR and

Your right to data portability under Article 20 GDPR.

If you have any questions in this regard, please contact customer service at support [at] hallokoko.com. You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before May 25, 2018. However, this revocation will then only be effective for the future. Processing that took place before the revocation is not affected by this. In addition, you have a right of appeal to the competent data protection supervisory authority. This can be the supervisory authority of the representative named under point 1, or the supervisory authority responsible for your place of residence.

10. Information About Your Right of Objection

a. Right of objection on a case-by-case basis

In addition to the rights already mentioned, you have the right to object at any time for reasons arising from your particular situation to the processing of personal data concerning you, which is based on Article 6 para. 1e GDPR (data processing in the public interest) and Article 6 para. 1f GDPR (data processing on the basis of a balance of interests). If you file an objection, we will no longer process your personal data, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

b. Right of objection on the processing of data for advertising purposes

You also have the right to object at any time to the processing of personal data concerning you for the purpose of direct marketing. If you object, we will no longer process your personal data. Please also note the information in Section 8 of this Privacy Policy: If we terminate the processing due to your objection, it may be that the Services can no longer or only to a limited extent be made available to you. The objection can be made informally and should be addressed to support [at] hallokoko.com if possible.